Agencies have 120 days to submit their post-quantum cryptography transition plans to the White House.
It didn’t take long for agencies to get specific marching orders on a new executive order on post-quantum cryptography adoption across government. And the Office of Management and Budget’s guidance doesn’t give agencies much time before they must begin executing, instead of just planning, the PQC transition.
The June 24 OMB guidance on the “execution of the migration to post-quantum cryptography” follows a June 22 executive order signed by President Donald Trump that directs accelerated deadlines for the PQC transition.
The goal of the effort is to adopt new algorithms that can protect sensitive data and systems from a cryptographically relevant quantum computer (CRQC).
“A CRQC is not yet known to exist, but steady advancements in the quantum computing field may yield a CRQC in the coming decade,” OMB Director Russell Vought writes in the memo. “The United States must be a leader in harnessing the numerous benefits that quantum computers will offer in fields ranging from pharmaceuticals to materials science while preparing for their ability to break widely used cryptographic algorithms.”
The memo gives agencies 120 days to submit a “PQC Migration Plan” to OMB and the Office of the National Cyber Director.
OMB prescribes a phased approach for agency plans. During phase one, between 2026 and 2027, agencies should focus on continuing to inventorying cryptographic systems, defining a strategy, spreading “awareness and training,” and other steps to “lay the foundation for a phased PQC migration approach,” according to the memo.
Between 2027 and 2028, under phase two in OMB’s memo, agencies should plan to focus on “pilots, executing early migrations of prioritized systems, and refining the migration plan based on lessons learned.”
The OMB memo notes that the General Services Administration is working with agencies “to test PQC-ready physical and logical access systems.” OMB encourages interested agencies to reach out to GSA’s Federal Identity, Cybersecurity, and Access Management (FICAM) program for more information.
In line with Trump’s executive order, OMB directs agencies to focus on “prioritized migration” to the use of PQC for key establishment for high-value assets and systems between 2028 and 2030 as part of phase three.
Phase four will involve agencies migrating to PQC for digital signatures for all high-value assets and systems before the end of 2031.
Finally, phase five in OMB’s mandate will focus on completing migration to PQC for all other systems by 2035.
OMB also makes clear that the PQC migration is not the sole responsibility of agency chief information officers and chief information security officers.
“Instead, a successful migration requires accountability and responsibility for each member of an agency’s leadership teams, both in the front office and in agency components,” Vought wrote. “Roles and responsibilities must be clearly defined.”
OMB also defines migration to PQC as a “primary information security consideration for agencies” as they modernize their systems.
“Through their inventories, agencies have already identified legacy systems for which migration would be too difficult or costly,” Vought’s memo continues. “Agencies must incorporate PQC upgrades into planned cloud migrations, software development lifecycles, and hardware refresh schedules to maximize efficiency and minimize costs. Systems incapable of supporting PQC or hybrid cryptography must be identified and given priority for replacement or decommissioning.”
The OMB memo applies to federal civilian agencies. The Defense Department is spearheading the transition to PQC for classified systems under a separate strategy signed out in April.
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
